ADFS for SSO

I'm looking to set up ADFS for an SSO solution connecting to a 3rd party web app. Looking for some best practices/gotchas/recommendations.

Thank you,
Veresen Asked:

Jamie McKillop (IT Manager) Commented:
Hello,

From my experience, one thing to consider is whether or not you plan to deploy an ADFS proxy. Best practice is to put your ADFS server behind your firewall and then put an ADFS proxy in your DMZ, if you want users outside your firewall to be able to access ADFS. The proxy uses forms-based authentication while the ADFS server itself will use NTLM/Kerberos. You will need to have split DNS set up (two separate DNS infrastructures for the same zone; one internal and one external). This is because ADFS can only be set up with a single hostname. Users behind your firewall would resolve the hostname to the IP of the internal ADFS server and users outside your firewall would resolve to your public IP of the proxy.

For redundancy, you can set up ADFS in a cluster. You would then put a load balancer in front of the ADFS servers and point your DNS entry to the VIP on the LB. You can also cluster across sites if you want site resiliency. If your primary site went down, you would change the DNS entries to point to the other site.

Let me know if you have any further questions.

JJ
Veresen (Author) Commented:
External parties will not be connecting, they will use a VPN or Citrix for authentication from external so I don't see a need for a Split DNS setup.
I will be using an ADFS proxy and I will not do a cluster for now.

Thank you for your response.
Veresen (Author) Commented:
I've read MS recommends for 0-1000 users to just install ADFS on your DCs, but have found conflicting reports saying this is not recommended. Please advise on best practices for this.

Thanks,
Jamie McKillop (IT Manager) Commented:
Personally, I would not install on a DC. I prefer to not add additional services to my DCs.

JJ
Veresen (Author) Commented:
For the SSL cert do you typically use one specific to ADFS? We have a Standard UCC SSL purchased already.

Thanks,
Jamie McKillop (IT Manager) Commented:
No, it doesn't need to be specific to ADFS. I use a wildcard cert.

JJ
Veresen (Author) Commented:
Right now we have a Standard.
I'm trying to justify a wildcard cert purchase.
If we end up deploying ADFS to many SSO 3rd party solutions does each of those require a separate cert? Or would they all be able to leverage one?
Jamie McKillop (IT Manager) Commented:
You only need one cert as you cannot have multiple hostnames on your ADFS server.

JJ
Veresen (Author) Commented:
We will be clustering everything now. When you said the 'public IP of the proxy', you mean the NATted public IP address which points to the VIP of the proxy cluster?
Jamie McKillop (IT Manager) Commented:
Yes, that is correct. If you are using NLB or a hardware load balancer for your proxy, you would point to the VIP.

-JJ
Veresen (Author) Commented:
Perfect, thank you for your help so far.
Up until this project there has not been a need for DNS in DMZ.  Can you give a bit more detail on what best practices say for DNS setup in the DMZ?  Right now we only have internal DNS and hosted DNS for external.
We have the ability to talk to the DMZ via name resolution but not the other way.
Jamie McKillop (IT Manager) Commented:
If you are referring to the split DNS, that involves recreating your external DNS zone on your internal DNS servers. That can be a little tricky. You basically need to recreate every DNS record that exists on your external zone. The internal and external copies of the zone are completely separate and need to be managed individually. For example, if you want to add a new record for a public-facing web server, you would need to create the record in both places. What this allows you to do is use internal private IPs on the internal copy of the zone and public IPs on the external copy of the zone. In the case of ADFS, this allows you to specify the public IP of the proxy on the internal zone and the private IP of the ADFS server on the internal zone, which will allow internal users to bypass the proxy.

-JJ
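Creating the internal copy of the zone for the ADFS hostname and checking that the split actually works, as an added PowerShell example that is not part of this thread. It assumes the DnsServer module on an internal Windows DNS server (Windows Server 2012 or later); the zone name, hostname, IP addresses and external nameserver are constructed placeholders.

```powershell
# Added example, not from the thread. Builds the internal copy of a split-DNS
# zone for the ADFS federation service name and verifies that internal and
# external resolvers return different answers. All names/IPs are placeholders.
$zoneName    = 'example.com'              # public zone (assumption)
$adfsHost    = 'sts'                      # federation service = sts.example.com
$internalVip = '10.10.5.20'               # VIP in front of the internal ADFS farm
$externalDns = 'ns1.hosted-dns.example'   # your hosted (external) nameserver
$expectedPub = '203.0.113.10'             # NATted public IP of the proxy VIP

# 1. Create the internal copy of the zone if it does not exist yet.
#    From now on every public record must also be maintained here.
if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope 'Forest'
}

# 2. Point the ADFS hostname at the internal VIP so internal clients bypass
#    the proxy and get Kerberos/NTLM sign-on. A short TTL keeps a manual
#    DNS change for site failover from being cached for long.
$existing = Get-DnsServerResourceRecord -ZoneName $zoneName -Name $adfsHost `
    -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $adfsHost `
        -IPv4Address $internalVip -TimeToLive '00:05:00'
}

# 3. Verify the split: ask this server and the external nameserver.
$fqdn = "$adfsHost.$zoneName"
$internal = (Resolve-DnsName -Name $fqdn -Type A -Server '127.0.0.1' -ErrorAction Stop |
    Where-Object Type -eq 'A').IPAddress
$external = (Resolve-DnsName -Name $fqdn -Type A -Server $externalDns -ErrorAction Stop |
    Where-Object Type -eq 'A').IPAddress

if ($internal -eq $internalVip -and $external -eq $expectedPub) {
    Write-Output "OK: $fqdn -> $internal internally, $external externally"
} else {
    Write-Warning "Split DNS mismatch: internal=$internal external=$external"
}
```

Run step 3 again from a workstation after any failover DNS change; a cached answer pointing at the dead site shows up as the mismatch warning.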
Veresen (Author) Commented:
Is Split DNS a necessity for using ADFS proxy?
Jamie McKillop (IT Manager) Commented:
It is if you want seamless login for your internal users. If you don't care that everyone goes through the proxy and uses forms-based authentication, you can skip the split DNS.

-JJ
Veresen (Author) Commented:
More of a delay in authentication being the only concern?
Jamie McKillop (IT Manager) Commented:
Just that the user needs to manually enter credentials when using the proxy.

-JJ
Veresen (Author) Commented:
So no SSO... That kind of defeats our goal here.
Jamie McKillop (IT Manager) Commented:
Correct.

-JJ
Veresen (Author) Commented:
If users are only connecting to this 3rd party application from inside, is the proxy redundant? From what I've read the proxy is only used when authenticating from external.
Jamie McKillop (IT Manager) Commented:
Correct. You do not need the proxy if your users are connected to your network or are on your VPN.

-JJ
Windows Server 2012